GDPR: A guide for IT consultants

Disclaimer: The advice provided here are our own interpretations and opinions. We have tried to simplify the main points of GDPR to create this guide but for more in-depth information please read the official ICO guidance.

The European Unions’ General Data Protection Regulation (GDPR) will replace the current Data Protection Act on May 25th, 2018.

The new regulations mean that businesses will no longer be able to capture, manage and store data the way they do now, and failure to comply with the new rules will result in penalties as high as €20 Million or 4% of the annual global turnover – whichever is higher.

GDPR applies to any business that processes or stores data belonging to individuals residing in the U.K – regardless of where the company is based.

While complying with GDPR is the responsibility of business owners, IT consultants have a significant role to play in ensuring the businesses they work for, or work with, are meeting the new criteria of rules. Business owners will put a substantial amount of trust in IT consultants to make sure their business is GDPR compliant.

Whether you’re a self-employed IT consultant or work within a business’ IT department, this guide will outline the main requirements to achieve compliance with GDPR.

This guide includes:

What is the GDPR?

What does the GDPR mean for I.T consultants?

What happens if I.T consultants do not comply with the GDPR?

1. What is the GDPR?

The GDPR (General Data Protection Regulation) has been created by the European Union Parliament to strengthen the protection of data for all individuals within the European Union (EU).

The regulations allow individuals, also referred to as ‘data subjects’, more control over their personal data. The rules also provide a more a unified approach to regulation across all of the EU.

Under GDPR, individuals will have increased rights regarding their personal information and it is down to IT consultant to make sure data requests are met.

Individuals will have the right to:

Access their data

Data subjects can access their data at any time, and have the right to know how the business is using it. A copy of the data must be given to the data subject free of charge and in electronic form if requested.

Delete their data

Data subjects can withdraw their consent for a business to use their data and request for it to be permanently removed.

Transfer their data

Data subjects can request for their data to be transferred to another provider and the business must carry this out via a commonly used, accessible, readable format.

Be informed of data processing

Data subjects must be notified by the business before they gather personal data on the individual, and this must be achieved via a transparent opt-in process where the individual gives consent.

Correct their data

Every individual in the EU has the right to amend or update data that is related to them.

Restrict processing of their data

Data subjects can stop their data from being used for processing. This means their records can remain in place with the business, but must not be used.

Object to processing their data

Data subjects have the right to stop their data from being processed and used for marketing activities – without any exemptions. The business must immediately stop using the individuals’ data after receiving the request.

Be notified of a data breach

If a breach occurs in the business and the individuals’ data is at risk of being compromised, the business must inform the data subject within 72 hours of the violation.

2. What does the GDPR mean for IT consultants?

GDPR means IT roles must change the way data is collected, stored and managed within the business to comply with the new rules and avoid penalties.

IT departments must consider the following to be GDPR compliant:

How they collect and process data

Some businesses use an automated digital capture form to log data, and others use a spreadsheet to store data manually. Regardless of how you process and store data, the GDPR will apply.

Before changes can be made, consultants need to clearly identify where personal data is located and exactly what the information is used for.

Most businesses have different departments where multiple people have access to personal information. IT consultants may need to ask every employee that comes across personal data where and how the data is stored. They will also need to consider software programs such as CRM’s (Customer Relationship Management), support and marketing systems, and even cloud services to locate all current data.

When collecting new data, the business must inform the data subject of the purpose of the data collection, before the data is collected. The data subject must also clearly ‘opt-in’ to giving their data, instead of the current widely-used method of pre-ticked boxes. These, along with hidden disclaimers in small print, will not be allowed under the GDPR.

IT consultants must ensure that the website for the business reflects GDPR and includes compliant opt-in methods of data collection, an option for data subjects to withdraw their consent, and also a fair processing notice which simply states what the business intends to use the data for, and also notifies the user of their data rights.

Given that the current opt-in method of data collection is predominantly used for sales and marketing, IT consultants will need to make sure these departments are aware of the severity of the regulations and encourage them to co-operate.

Data subjects also have the right to withdraw their consent at any time, and if a request is made by an individual to remove their data, the business must act immediately.

The GDPR states that data should only be kept for the period it is needed, and businesses should refrain from hanging on to data that is out of date or not being used. IT consultants will need to establish how the data is permanently removed from every system simultaneously and guarantee that automatic syncing doesn’t bring the data back.

For businesses that process high volumes of personal data or have more than 250 employees, a data protection officer (DPO) is required under GDPR to work along-side the IT consultant and communicate with senior management regarding the business’ data practices.

How to manage the flow of data

As soon as data is collected, the business becomes accountable for the use of it. The IT consultant must ensure that the flow of data follows compliant guidelines. If data is shared by accident or ends up in the wrong hands, this will be classed as a breach of GDPR.

To prevent this, adequate solutions need to be in place regarding file sharing, collaboration tools and third-party software. All file sharing tools must have a secure admin dashboard in place for consultants to oversee what is going on at all times and act on any irregularities. The consultant should also be able to see the devices involved and create a report with data results.

There is also the issue of data transfers outside the EU. Examples of this include transferring data to a company’s department that is based outside the EU, outsourcing to a non-EU data processor; and saving data onto a shared file service which is hosted outside the EU.

Before a transfer outside the EU can take place, the data controller must inform the user of this action by having a legal contract in place where the user can opt-out.

However, some countries in the EU have adequate data protection laws in place which allow controllers to transfer data from the EU into these countries without the need for other legal contracts.

The current list of countries is:

Andorra

Argentina

Canada (commercial organisations)

Faeroe Islands

Guernsey

Israel

Isle of Man

Jersey

New Zealand

Switzerland

Uruguay

Any data transfers that take place to countries that are not on this list must have a legal contract in place with the data subject, stating they agree for their data to be transferred outside the EU.

This means IT consultants will have to review all website privacy policies and make sure they inform viewers of the potential transfer and allow them to opt-out.

It is important to note that this opt-out process only applies to data being transferred outside the EU, and should not be confused with the mandatory opt-in process required when collecting data.

Using data processors

The GDPR applies to data ‘processors’ and ‘controllers’.

‘Processors’ refers to any action performed on personal data, such as collecting, recording, storing, organising, sharing, erasing, etc.

A ‘controller’ is a processor with additional power. Controllers decide the purpose of the processing activities and methods.

A data processor can be a separate legal organisation or person (excluding employees) that processes data on behalf of the data controller (the business). Examples of data processors include outsourcing companies, third-party software, off-site storage vendors, and cloud providers.

A big challenge for IT departments is managing the access to data by processors, particularly, cloud service providers. Under the GDPR, businesses will no longer be allowed to rely on processors to safely store or process their consumer information.

Although GDPR applies to both processors and controllers, ultimately, controllers are responsible for the security of the data and should only use processors that understand the importance of following the new regulations.

IT departments will need to ensure that every processor that has access to the data is following compliant methods of storing, securing and processing data. Given that the average business now uses more than 1,000 different cloud services alone, this is a huge task for IT consultants.

GDPR also applies to businesses that outsource data from third-party processors. Even if the business has not collected the data directly from the individual, GDPR still applies to how the business stores and manages that data. IT consultants need to ensure that the processor used has followed GDPR regulations when obtaining the data.

Using cookies

Although cookies are only mentioned once in the GDPR, there will be significant repercussions for businesses that use them to track users’ browsing activity. Any data that can be used to identify an individual, either directly or indirectly, is considered personal data.

Although some cookies are not used to identify a users’ identity, many are and will be subject to GDPR. This includes cookies for analytics, advertising and functional services, such as surveys and chatbots.

The GDPR means that websites will no longer be allowed to collect cookies via an implied or opt-out process. From May, websites will either have to completely eradicate cookies or implement a clear opt-in process for the user.

Dealing with breaches

GDPR places new burdens on IT consultants and data managers to prevent the risk of a data breach. Consultants must be alerted in the event of any suspicious activity and potential security threats. They should also be able to spot any unusual access patterns to files with sensitive data.

If a breach were to occur and a data subjects’ information was at risk of being compromised, the business must inform the local data authority promptly. Additionally, the data subject must be notified within 72 hours of the company first becoming aware of the breach.

In most cases, the business’ management will not be aware of the breach until the IT consultant notifies them, or until significant damage is done. Therefore, it is down to the IT consultant to frequently monitor the data and implement security features to alert them of suspicious actions.

Using encryption techniques

Encryption could act as a get out of jail card for IT consultants. GDPR states that if lost data is unintelligible to anyone that is not authorised to access it, the data controller does not have to inform the data subjects.

This can be achieved by using technology that encrypts the data before it is transferred to a data processor or cloud service. Encryption can reduce the risk of data loss as decrypting data is considered impossible where the most secure encryption techniques are used.

The IT consultant should investigate how encryption can be utilised within the business to reduce the risk of data loss.

3. What happens if IT consultants do not comply with GDPR?

Businesses that do not comply with the GDPR will have to pay penalties of up to 4% of annual global turnover, or €20 million – whichever is higher.

Fines will vary depending on the severity of the risk. However, the penalties apply to all businesses, regardless of their size.

GDPR clearly brings new constraints to businesses, and it is the responsibility of the IT consultant to monitor the data practices frequently and make sure that the methods used are fully compliant.

It’s inevitable that IT consultants will have a lot of work on their plate to become GDPR compliant. But for self-employed IT consultants, GDPR is likely to welcome a lot of new clients and revenue their way.